Archive for December, 2012

As part of membership requirements, each year, all chapters of the Honeynet Project must post annual reports that detail what their chapter members have been working on during that period. The reporting period got a bit mixed up recently, so this is the UK Chapter’s annual report for both 2011 and 2012. You can find the status reports for other Chapters on the main Honeynet Project website.

ORGANIZATION

As you may have noticed from the lack of recent updates to our UK Chapter blog, during this period our members have mostly either been involved in activities under the core Honeynet Project, rather than UK-specific chapter activities, or have been busy with personal/professional lives and so have had limited time to contribute here. That has unfortunately reduced public facing UK Chapter activity to its lowest point in many years.

We have had a number of membership inquiries during this period, and potentially could increase our chapter membership, but to be honest, we have avoided bringing in new UK Chapter members whilst UK activity levels were low and no-one had the time to adequately support new members. Hopefully that situation will improve in 2013 and we’ll see increased UK Chapter output once again.

DEPLOYMENTS

During this period we have had a mix of honeynet technologies deployed. Some have been part of long term data collection efforts, whilst others have been shorter term deployments – often for testing of new tools.

Long term deployments:

1) [David] Our version 1 HonEeeBox pre-packaged (Nepenthes) low interaction sensor project was active at the start of this reporting period, but has since switched over to the version 2 HonEeeBox system. Although the version 1 system is no longer being maintained, two of the original HonEeeBox v1 sensors are still running, and just for reference the total amount of data collected to date by the old system is:

Sensors: 43

Total Attacks: 2,401,582

Total Attacker IPs: 36,632

Total Victim IPs: 214

Total MD5sums: 4,665

Total malicious binary size: 559 Mbytes

2) [David] Like the v1 Nepenthes based HonEeeBoxes, the first releases of the Dionaea powered HonEeeBox v2 system still initially submitted data to a submit_http backend, which was developed during GSoC 2011. We have run a honey cloud hosted instance of that old backend, plus a couple of sensors for most of this period. The data has only been retained for historical purposes.

3) [David] Later v2 Dionaea based HonEeeBoxes were HPFeeds-enabled, and we have been submitting data to the Honeynet Project’s shared HPFeeds system from multiple physical and virtual sensors since it went live. These are a mix of Asus EeePC based physical HonEeeBoxes on domestic ADSL/FTTC lines and cloud provider hosted VM instances. Current rough volumes of Dionaea events captured through HPFeeds to date are:

Sensors: 44

Total Attacks: 14,552,708

Total Attacker IPs: 300,451

Total Victim IPs: 2,410

Total MD5sums: 7,865

Total malicious binary size: 2.6 Gbytes

Data and binary samples collected from each of the above systems were shared with the Shadowserver Foundation and VirusTotal, for automated AV and sandbox analysis, and hopefully eventual remediation of infected hosts. Enriched data has also been logged locally in an instance of the GSoC 2012 HonEeeBox backend project, which we hope to continue developing with the student Gyoergy in 2013. Longer term we hope to be able to expand the number of sensors to 100+ and release public visualizations of these attacks.
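As an added illustration (not code from the chapter or from the HonEeeBox backend project), here is a small Python roll-up that turns a stream of Dionaea-style capture events into the kind of figures quoted above: sensor count, total attacks, unique attacker and victim IPs, unique MD5s and total binary size. The feed lines are constructed for the example; the payload field names follow Dionaea's capture messages only approximately, and the sensor and size fields are assumed additions. The point it makes that the figures alone do not is that binary size has to be counted once per distinct hash, because the same sample is captured on many sensors.

```python
import json
from collections import Counter

# Constructed sample feed (not real capture data): one JSON object per line,
# roughly in the shape of a Dionaea "dionaea.capture" HPFeeds payload
# (saddr/sport/daddr/dport/md5) plus two fields assumed for this example:
# the publishing sensor's identifier and the captured binary's size.
# IP addresses are documentation ranges and the MD5 values are placeholders.
SAMPLE_FEED = """\
{"sensor": "honeeebox-01", "saddr": "198.51.100.23", "sport": 4821, "daddr": "203.0.113.5", "dport": 445, "md5": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "size": 176128}
{"sensor": "honeeebox-01", "saddr": "198.51.100.77", "sport": 1033, "daddr": "203.0.113.5", "dport": 445, "md5": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "size": 176128}
this line is deliberately corrupt and must be skipped
{"sensor": "honeeebox-02", "saddr": "198.51.100.23", "sport": 2210, "daddr": "203.0.113.6", "dport": 445, "md5": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "size": 176128}
{"sensor": "honeeebox-02", "saddr": "192.0.2.9", "sport": 3399, "daddr": "203.0.113.6", "dport": 135, "md5": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "size": 51200}
{"sensor": "cloud-vm-01", "saddr": "192.0.2.40", "sport": 60012, "daddr": "203.0.113.88", "dport": 445, "md5": "cccccccccccccccccccccccccccccccc", "size": 1048576}
{"sensor": "cloud-vm-01", "saddr": "192.0.2.9", "sport": 3401, "daddr": "203.0.113.88", "dport": 445, "md5": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "size": 176128}
"""

REQUIRED = ("sensor", "saddr", "daddr", "dport", "md5", "size")


def parse_feed(text):
    """Parse JSON-lines capture events, dropping lines that are not valid
    JSON or lack a required field: a noisy sensor feed should never abort
    the whole roll-up because of one bad record."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(event, dict) or any(k not in event for k in REQUIRED):
            continue
        events.append(event)
    return events


def summarise(events):
    """Roll a list of capture events up into report-style totals."""
    size_by_md5 = {}
    for e in events:
        # Count each distinct sample's size once, however many sensors saw it.
        size_by_md5.setdefault(e["md5"], e["size"])
    return {
        "sensors": len({e["sensor"] for e in events}),
        "total_attacks": len(events),
        "attacker_ips": len({e["saddr"] for e in events}),
        "victim_ips": len({e["daddr"] for e in events}),
        "md5sums": len(size_by_md5),
        "binary_bytes": sum(size_by_md5.values()),
        # Shown only to make the over-count visible when samples are not deduplicated.
        "binary_bytes_naive": sum(e["size"] for e in events),
    }


def top_samples(events, n=3):
    """Most frequently captured samples by MD5: (md5, captures, distinct sensors)."""
    hits = Counter(e["md5"] for e in events)
    sensors_seen = {}
    for e in events:
        sensors_seen.setdefault(e["md5"], set()).add(e["sensor"])
    return [(md5, count, len(sensors_seen[md5])) for md5, count in hits.most_common(n)]


if __name__ == "__main__":
    evs = parse_feed(SAMPLE_FEED)
    for key, value in summarise(evs).items():
        print(f"{key:>20}: {value:,}")
    for md5, count, nsensors in top_samples(evs):
        print(f"{md5} captured {count} times on {nsensors} sensor(s)")
```

On the constructed feed the deduplicated binary total is 1,275,904 bytes against a naive per-event sum of 1,804,288, and the most common hash is seen on all three sensors; that "same sample everywhere" pattern is exactly the Conficker-dominated picture described under FINDINGS below.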

4) During the start of this period David was still running a legacy Global Distributed Honeynet (GDH2) high interaction sensor node on a domestic DSL connection (since disabled). That included a Honeywall plus a mix of low and high interaction honeypots, mostly on Linux.

5) At points during this period, David ran a mix of Capture-HPC high interaction client honeypots, HoneySpiderNetwork low/high interaction client honeypots, and PhoneyC and Thug low interaction client honeypots.

6) David has helped provide the infrastructure used by other Project members in various botnet related studies and takedown activities. More information about these activities will hopefully eventually be made public.

RESEARCH AND DEVELOPMENT

During this period we built or worked on the following tools:

1) [David] HonEeeBox pre-packaged low interaction honeypot sensor system and associated back/front ends. We hope to continue this development work in 2013, increasing the number of sensors, adding low interaction SSH honeypot capabilities through Kippo, adding options for centralized monitoring and management, and perhaps including proxy/client honeypot elements too.

2) David and Arthur were mentors for GSoC 2011/2012 on HonEeeBox backend and front end development, which we also hope to continue in the future, eventually releasing a public Django/JS based user interface to replace the previous private ExtJS based HonEeeBox v1 prototype interface.

3) Minor support for our Honeysnap tool, when end user requests or bug reports were received.

4) We have tried to provide suggestions for improving some existing tools or adding new features to newer projects, such as the excellent Cuckoo Sandbox or the aging Honeywall system.

For our current R&D activities:

1) David built a number of data visualization tools based on Processing.org, but didn’t get around to publicly releasing them. He very much hopes to rectify this failing in 2013.

2) Arthur is currently working on a pastebin scraping system, which will hopefully generate some interesting data for future analysis.

3) David has recently been working on spam pots with CERT.BR and the Shadowserver Foundation, which will become part of a larger scale distributed honeypot effort in 2013.

4) David has some ideas for next generation honeynet data capture systems and is currently exploring them. He will eventually share concepts and prototypes with members, then with the public, at a suitable point.

5) Earlier in 2012 David ported the HonEeeBox system to the Raspberry Pi platform, to potentially provide another very low cost means of distributing low interaction honeypot sensor systems. He will attempt to blog this information and release a disk image here in the next few days. Apologies to anyone waiting to use it for the delay!

In general, we are still interested in large scale distributed honeynet sensor deployments and the tools necessary to store/manage/automate/visualize collected data. We would also like to see the ongoing development of high interaction honeypot technologies, or next generation alternatives for gathering such data. We’d like to continue to collaborate with anyone interested in the same goals, and to perhaps also run some more UK-focused future activities too.

FINDINGS

Unfortunately there is nothing to be shared with the public at this time, except the observation that running public internet facing low interaction honeypots to detect network spreading malware generally only results in a lot of Conficker samples!

PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS

Since the last chapter status report, recent speaking engagements for David were:

David will be teaching a two-day hands-on honeynets class at the Honeynet Project’s next annual workshop in Dubai (which should be another great international event if you are interested in the cutting edge of honeynet R&D, so please check it out!), along with hopefully leading discussions again during private workshop events on honeynet R&D, GSoC and HonEeeBox, amongst others.

UK Chapter members have also attended UK-specific industry events such as Infosec UK and JANET meetings. Jamie presented at OWASP Birmingham in September and OWASP Edinburgh in November.

We continue to be active on both internal and external IRC and email, although UK-specific blogging activity has been poor. Chapter members have been involved in various Honeynet Project committee mailing lists, such as annual workshop organization, membership committee and infrastructure support. Members also individually participate in various other open or closed info-sec vetted communities too.

GOALS

Since most activity by UK Chapter members was general Honeynet Project activity, we would like to continue to remain active members but also try to increase UK-specific activity.

We would like to see the recent GSoC work on HonEeeBox sensor back/front ends result in a public UI release.

We would like to release some interesting visualisations of existing data sets, then try and engage the wider infosec and data visualisation communities on how best to improve them. We may try and run a series of public Data Visualisation challenges in 2013.

MISC ACTIVITIES

Other activities that our Chapter members have been involved in during this period:

David was a Director of the Honeynet Project in 2011 and remains the Chief Research Officer (CRO). He was involved with various fund raising efforts and proposals (some under NDA), some of which resulted in additional financial support for the Honeynet Project’s annual workshops in 2012 and 2013, and some of which are ongoing.

David collaborated on an EPSRC network proposal with Queen’s University Belfast Information Security Centre.

MENTORING

David was a GSoC student project mentor in 2011 and 2012 (and GSoC Org admin); Jamie was a student project mentor in 2010 and 2012; Arthur was a GSoC student project mentor in 2012 and helped with student selection in 2011.